feat: Add security restriction configurations to all service files

- Use the deepin-daemon user to run services whenever possible,
  reducing privilege risks;
- Add a D-Bus policy to allow the deepin-daemon user to invoke the
  HandleSystemEvent method;
- Deny users other than root and deepin-daemon from calling
  HandleSystemEvent, strengthening access control;
- "Remove the unused update-metadata-info related scripts and
  services.

Task: https://pms.uniontech.com/task-view-385069.html

Author: electricface

debian/lastore-daemon.postinst

@@ -10,7 +10,6 @@ case "$1" in
             [ -e /lib/systemd/dbus-org.deepin.dde.Lastore1.service ] && rm /lib/systemd/system/dbus-org.deepin.dde.Lastore1.service || true
         fi
         systemctl daemon-reload || true
-        /var/lib/lastore/scripts/update_metadata_info || true
         /var/lib/lastore/scripts/build_system_info || true
         # Fix the problem that the machine id is the same after the system is installed.
         if [ -f /etc/machine-id ] && grep -q "a5fa4f1b04514009830c73f3b1f1dd4c" /etc/machine-id; then

lib/systemd/system/lastore-abort-auto-download.service

@@ -3,5 +3,20 @@ Description=System Update Auto Download Abort Service
 Wants=lastore-daemon.service
 
 [Service]
+CapabilityBoundingSet=
+ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AbortAutoDownload
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictSUIDSGID=true
 Type=oneshot
-ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AbortAutoDownload
+User=deepin-daemon

lib/systemd/system/lastore-after-upgrade-check.service

@@ -3,8 +3,26 @@ Description=generate config file for check system
 Before=display-manager.service
 
 [Service]
-Type=oneshot
+
+# PrivateTmp=true is not set because it needs to use /tmp to save state
+
+CapabilityBoundingSet=
 ExecStart=/var/lib/lastore/scripts/gen_upgrade_check_config.sh
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/tmp/
+RestrictSUIDSGID=true
+Type=oneshot
+User=deepin-daemon
 
 [Install]
 WantedBy=multi-user.target

lib/systemd/system/lastore-auto-download.service

@@ -3,5 +3,19 @@ Description=System Update Auto Download Service
 Wants=lastore-daemon.service
 
 [Service]
+CapabilityBoundingSet=
+ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AutoDownload
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictSUIDSGID=true
 Type=oneshot
-ExecStart=/usr/bin/dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent string:AutoDownload
+User=deepin-daemon

lib/systemd/system/lastore-build-system-info.service

@@ -2,9 +2,28 @@
 Description=Build system info
 
 [Service]
-Type=idle
-StartLimitInterval=10s
-StartLimitBurst=20
-RestartSec=5s
-Restart=on-failure
+
+# MemoryDenyWriteExecute=true is not set because the script calls lastore-tools (a Go program compiled with -pie option) which would fail.
+# ProtectProc=invisible is not set because the script uses pgrep to check if processes are running
+
+CapabilityBoundingSet=
 ExecStart=/var/lib/lastore/scripts/build_system_info -now
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateIPC=true
+PrivateTmp=true
+ProtectClock=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/var/
+Restart=on-failure
+RestartSec=5s
+RestrictSUIDSGID=true
+StartLimitBurst=20
+StartLimitInterval=10s
+StateDirectory=lastore
+Type=idle
+User=deepin-daemon

lib/systemd/system/lastore-daemon.service

@@ -3,12 +3,28 @@ Description=Deepin Lastore Daemon
 After=display-manager.service
 
 [Service]
-Type=dbus
+
+# CapabilityBoundingSet= is not set because it would cause apt execution errors, such as setegid and other operations failing due to insufficient permissions.
+# InaccessiblePaths is not set because dpkg needs to be called to upgrade the system.
+# MemoryDenyWriteExecute=yes is not set because this is a Go program compiled with -pie option, which would prevent the process from starting.
+# PrivateDevices=true is not set because grub-mkconfig is executed when creating backup deployment.
+# PrivateTmp=true is not set because it relies on /tmp to record state.
+# ProtectHome=true is not set because sudo is needed to connect to the user Session Bus and send DDE message notifications.
+# ProtectKernelModules=true is not set because kernel packages need to be installed
+# ProtectProc=true is not set because it needs to access caller process environment variables.
+# ProtectSystem=strict is not set because dpkg needs to be called to upgrade the system.
+# RestrictSUIDSGID=true is not set because some packages may need to set SUID and SGID during installation.
+# StateDirectory=lastore is not set because it would conflict with the ownership of smartmirror-daemon and build-system-info services, which need to be owned by deepin-daemon, and enabling this would set the owner to root.
+
 BusName=org.deepin.dde.Lastore1
-ExecStart=/usr/libexec/lastore-daemon/lastore-daemon
-StandardOutput=null
-StandardError=null
-StateDirectory=lastore
 CacheDirectory=lastore
+ExecStart=/usr/libexec/lastore-daemon/lastore-daemon
+NoNewPrivileges=true
+PrivateIPC=true
+ProtectClock=true
+ProtectKernelTunables=true
 RuntimeDirectory=lastore
-RuntimeDirectoryMode=0750
+RuntimeDirectoryMode=0750
+StandardError=null
+StandardOutput=null
+Type=dbus

lib/systemd/system/lastore-smartmirror-daemon.service

@@ -5,35 +5,31 @@ Wants=dbus.socket
 After=dbus.socket
 
 [Service]
-Type=dbus
+# Cannot set PrivateNetwork=yes because network access is required.
+# Cannot set MemoryDenyWriteExecute=yes because this is a Go program compiled with -pie option, which would prevent the process from starting.
 BusName=org.deepin.dde.Lastore1.Smartmirror
-User=deepin-daemon
+CapabilityBoundingSet=
 ExecStart=/usr/libexec/lastore-daemon/lastore-smartmirror-daemon
-StandardOutput=null
-StandardError=journal
-
-ProtectSystem=strict
-StateDirectory=lastore
-InaccessiblePaths=/etc/shadow
-InaccessiblePaths=-/etc/NetworkManager/system-connections
-InaccessiblePaths=-/etc/pam.d
-InaccessiblePaths=-/usr/share/uadp/
-
+InaccessiblePaths=-/etc/shadow -/etc/pam.d/ -/etc/NetworkManager/system-connections/ -/etc/security/ -/etc/selinux/ -/etc/deepin-elf-verify/ -/etc/filearmor.d/ -/etc/crypttab -/etc/fstab -/sysroot/ostree/repo/ -/persistent/ostree/repo/
+LockPersonality=yes
 NoNewPrivileges=yes
-ProtectHome=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectControlGroups=yes
+PrivateDevices=yes
+PrivateIPC=true
 PrivateMounts=yes
 PrivateTmp=yes
-PrivateDevices=yes
-# 需要联网
-#PrivateNetwork=yes
 PrivateUsers=yes
+ProtectClock=true
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RemoveIPC=yes
 RestrictNamespaces=yes
-LockPersonality=yes
 RestrictRealtime=yes
-RemoveIPC=yes
-# 和golang -pie参数冲突，导致进程无法启动
-#MemoryDenyWriteExecute=yes
-#MemoryLimit=100M
+RestrictSUIDSGID=true
+StandardError=journal
+StandardOutput=null
+StateDirectory=lastore
+Type=dbus
+User=deepin-daemon

lib/systemd/system/lastore-update-metadata-info.service

@@ -662,9 +662,6 @@ func (m *Manager) handleAutoCheckEvent() error {
 			return err
 		}
 	}
-	if !m.config.DisableUpdateMetadata && !m.ImmutableAutoRecovery {
-		startUpdateMetadataInfoService()
-	}
 	return nil
 }
 

src/lastore-daemon/manager.go

@@ -10,6 +10,8 @@ import (
 	"fmt"
 	"math/rand"
 	"os/exec"
+	"os/user"
+	"strconv"
 	"strings"
 	"time"
 
@@ -26,6 +28,7 @@ const (
 	lastoreUnitCache = "/tmp/lastoreUnitCache"
 	run              = "systemd-run"
 	lastoreDBusCmd   = "dbus-send --system --print-reply --dest=org.deepin.dde.Lastore1 /org/deepin/dde/Lastore1 org.deepin.dde.Lastore1.Manager.HandleSystemEvent"
+	deepinDaemonUser = "deepin-daemon"
 )
 
 // isFirstBoot startOfflineTask执行前执行有效
@@ -38,7 +41,6 @@ type systemdEventType string
 const (
 	AutoCheck              systemdEventType = "AutoCheck"
 	AutoClean              systemdEventType = "AutoClean"
-	UpdateInfosChanged     systemdEventType = "UpdateInfosChanged"
 	OsVersionChanged       systemdEventType = "OsVersionChanged"
 	InitIdleDownload       systemdEventType = "InitIdleDownload"
 	AutoDownload           systemdEventType = "AutoDownload"
@@ -334,20 +336,45 @@ func (m *Manager) getNextUpdateDelay() time.Duration {
 	return remained + _minDelayTime
 }
 
+// isAllowedToTriggerSystemEvent checks if the uid is allowed to trigger system events
+func isAllowedToTriggerSystemEvent(uid uint32, eventType systemdEventType) bool {
+	// Allow regular users to trigger OsVersionChanged event
+	// TODO: This should be fixed in the future to only allow restricted users to trigger this event.
+	if eventType == OsVersionChanged {
+		return true
+	}
+
+	// Allow root user for all operations
+	if uid == 0 {
+		return true
+	}
+
+	// Allow deepin-daemon user for all operations
+	if u, err := user.Lookup(deepinDaemonUser); err == nil {
+		if daemonUID, err := strconv.ParseUint(u.Uid, 10, 32); err == nil && uid == uint32(daemonUID) {
+			return true
+		}
+	}
+
+	return false
+}
+
 func (m *Manager) delHandleSystemEvent(sender dbus.Sender, eventType string) error {
 	uid, err := m.service.GetConnUID(string(sender))
 	if err != nil {
 		logger.Warning(err)
 		return dbusutil.ToError(err)
 	}
-	if uid != 0 && systemdEventType(eventType) != OsVersionChanged {
-		err = fmt.Errorf("%q is not allowed to trigger system event", uid)
+
+	evType := systemdEventType(eventType)
+	if !isAllowedToTriggerSystemEvent(uid, evType) {
+		err = fmt.Errorf("uid %d is not allowed to trigger system event %v", uid, evType)
 		logger.Warning(err)
 		return dbusutil.ToError(err)
 	}
+
 	m.service.DelayAutoQuit()
-	typ := systemdEventType(eventType)
-	switch typ {
+	switch evType {
 	case AutoCheck:
 		go func() {
 			err := m.handleAutoCheckEvent()
@@ -363,9 +390,6 @@ func (m *Manager) delHandleSystemEvent(sender dbus.Sender, eventType string) err
 				logger.Warning(err)
 			}
 		}()
-	// case UpdateInfosChanged:
-	// 	logger.Info("UpdateInfos Changed")
-	// 	m.handleUpdateInfosChanged()
 	case OsVersionChanged:
 		go updateplatform.UpdateTokenConfigFile(m.config.IncludeDiskInfo)
 	case InitIdleDownload: